Cybersecurity in Fare Systems A Multi-Layered Approach for Responding and Preventing Cyber Attacks Freddie Fuller Jacobs Engineering, VP Fare Systems Washington, DC

Page 1: Freddie Fuller - American Public Transportation Association...Key Presentation Take-Aways •Cyber Attack Prevention and Response in Fare Payment Systems Requires More Than Technology

Cybersecurity in Fare Systems: A Multi-Layered Approach for Responding and Preventing Cyber Attacks

Freddie Fuller

Jacobs Engineering, VP Fare Systems

Washington, DC

Page 2

Key Presentation Take-Aways

• Cyber Attack Prevention and Response in Fare Payment Systems Requires More Than Technology

• A Cybersecurity Framework Supported by Policies and Procedures Must be Developed

• Cybersecurity is a Team Sport – Requires Multiple Stakeholder Engagement

• Incident Response Must Be Planned and Rehearsed

• Fare Payment Systems Cybersecurity Extends Beyond PCI-DSS

Page 3

Ransomware Attacks in the News: Fare Systems are Targets

SF MUNI; City of Atlanta; Colorado Department of Transportation

Page 4

City and County of Honolulu Department of Information Technology

• Customer Use Case is Honolulu Area Rapid Transit System (HART) Fare Payment Systems Implementation

• City and County of Honolulu Department of Information Technology developed a solid framework with policies and procedures based on NIST SP 800-53r5

• Agency worked collaboratively with their Fare Systems vendor – INIT™ Systems – to develop a cybersecurity framework to protect Fare Systems

Page 5

Incident Response Plans: What You Can Do Today for FREE

5 Things You Can Do Today to Be Prepared for a Cybersecurity Incident:

• Know your assets – hardware, software, network – keep a current and easily accessible inventory which includes version information, tech support information, etc. Most Enterprise Asset Management or Configuration Management Databases (CMDBs) provide this functionality.

• Have a plan and make sure everyone knows where it is. A cybersecurity incident response plan is required by most cybersecurity insurance providers and cybersecurity regulatory bodies. The plan has to be tailored for your environment and all fare systems support personnel must be familiar with the plan contents.

• Train, train, train – Conduct tabletop exercises on an annual basis as a minimum. Ensure all key fare systems support personnel are engaged in these exercises.

• Establish a clear command and control hierarchy and communicate that to all stakeholders. An incident commander must be assigned for each incident to maintain cohesiveness and bring the incident to resolution. The incident commander will direct activities as needed for all technology mitigations including but not limited to hardware, software, and network.

• Socialize your incident response plan with agency legal, public communications, human resources, and senior management and include these stakeholders in tabletop exercises.

Page 6

Incident Response Plans: City and County of Honolulu Answered All These Questions Below

• Do you have a contract with an Incident Response Company?

• Do you know your Cybersecurity Insurance Policy?

• How will you staff your Incident Response 24x7 when an incident occurs?

• What will your command and control look like? Who’s in Charge?

• Do you have a detailed Plan in Place?

• Have you performed “Table Top” Exercises to Practice BEFORE you are attacked?

Page 7

Incident Response Plan Key Controls NIST SP 800-53r5

Page 8

Incident Monitoring: Technology

• Install automated tools that assist in incident detection, prevention, and monitoring such as a Security Incident and Event Monitoring (SIEM) platform, Intrusion Prevention System (IPS), endpoint antivirus and malware detection software, and vulnerability management scanning tools.

• Subscribe to advisory lists: ICS-CERT at https://ics-cert.us-cert.gov/, US-CERT at https://www.us-cert.gov/, and the Common Vulnerabilities and Exposures (CVE) Announce List at http://cve.mitre.org. Review advisories on a daily basis and take action to mitigate vulnerabilities in the transit payment systems environment.
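The daily advisory review on this slide only works when the "know your assets" inventory from the five-things slide exists with version information. The following Python script is an added example, not part of the presentation or any vendor product: it cross-references a CMDB-style asset list against an advisory feed by product and affected version range and produces a worklist, highest severity first, with the support contact for each affected asset. The asset names, product names, advisory ids and contacts are constructed placeholders.

```python
"""Cross-reference an asset inventory against vulnerability advisories.

Added example (not from the presentation). Assumes a CMDB export with one
product and version per asset and an advisory feed with affected version
ranges; both are constructed inline below with placeholder names and ids.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Asset:
    name: str              # hostname or asset tag from the CMDB
    product: str           # software or firmware product name
    version: str
    support_contact: str   # tech support info, as the 'know your assets' slide asks for


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_from: str          # first affected version (inclusive)
    fixed_in: Optional[str]     # first fixed version (exclusive); None = no fix published yet
    severity: str


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs the advisory's product inside the affected range."""
    if asset.product.lower() != adv.product.lower():
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def triage(assets, advisories):
    """Return (asset name, advisory id, severity, support contact) for every match,
    ordered highest severity first so the daily review yields a mitigation worklist."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits = [(a.name, adv.advisory_id, adv.severity, a.support_contact)
            for adv in advisories for a in assets if is_affected(a, adv)]
    return sorted(hits, key=lambda h: (rank.get(h[2], 9), h[0]))


# Constructed sample inventory and advisories (placeholder names, versions and ids).
ASSETS = [
    Asset("tvm-01", "FareVendingOS", "2.4.10", "vendor-desk"),
    Asset("tvm-02", "FareVendingOS", "2.5.1", "vendor-desk"),
    Asset("validator-17", "GateFirmware", "1.9.0", "ops-desk"),
    Asset("siem-01", "LogCollector", "7.2.3", "it-desk"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "FareVendingOS", "2.0.0", "2.5.0", "critical"),
    Advisory("ADV-EXAMPLE-002", "GateFirmware", "1.8.0", None, "high"),
    Advisory("ADV-EXAMPLE-003", "LogCollector", "8.0.0", "8.0.2", "medium"),
]

if __name__ == "__main__":
    for name, adv_id, sev, contact in triage(ASSETS, ADVISORIES):
        print(f"{sev:8} {adv_id:16} {name:14} contact: {contact}")
```

Versions are compared as integer tuples rather than strings so that 2.4.10 sorts after 2.4.9; an advisory with no fix published (`fixed_in` of None) keeps every asset at or above the first affected version on the worklist until a fix arrives.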

Page 9

Incident Monitoring: Actions To Take

• Participate in the local FBI Infragard chapter to be kept apprised of all critical infrastructure cybersecurity activity. Membership application can be found at https://www.infragard.org/. Membership application can take up to 3 months for response.

• Maintain online documentation for each cybersecurity incident in accordance with the Incident Response Plan in IR-8.

Page 10

Incident Response Information Sharing for Public Agencies

• Subscribe to multiple Information Sharing and Analysis Center (ISAC) groups including but not limited to:

  • Public Transportation Information Sharing and Analysis Center (PT-ISAC) https://www.surfacetransportationisac.org/

  • Surface Transportation Information Sharing and Analysis Center (ST-ISAC) https://www.surfacetransportationisac.org/

  • Over the Road Bus Information Sharing and Analysis Center (OT-RB ISAC) https://www.surfacetransportationisac.org/

  • Multi-State Information Sharing and Analysis Center (MS-ISAC) https://www.cisecurity.org/ms-isac/

Page 11

Incident Reporting for Public Agencies: Who Do You Tell?

All cybersecurity incidents in the payment systems environment shall be documented and kept in archival files for a minimum of 1 year. Additionally, significant cybersecurity incidents such as those categorized as high impact shall be reported to at least one of the following agencies:

• FBI Field Office Cyber Task Forces at http://www.fbi.gov/contact-us/field

• State of Hawaii has Specific Enhanced Requirements

• National Cyber Investigative Joint Task Force at [email protected]

• United States Secret Service Field Offices and Electronic Crimes Task Forces (ECTFs) at http://www.secretservice.gov/contact/field-offices

• United States Immigration and Customs Enforcement/Homeland Security Investigations (ICE/HSI) at https://www.ice.gov/webform/hsi-tip-form

• National Cybersecurity and Communications Integration Center (NCCIC) email at [email protected]

• United States Computer Emergency Readiness Team at http://www.us-cert.gov

Page 12

Incident Response Plan Include Contact Info IN the Plan

City and County of Honolulu provides a list of incident response support resources to all transit payment system administrators and internal users. The support resources include but are not limited to:

• DIT Service Desk Manager 24/7 contact information Service Desk Number 888-888-8888

• OTS (Bus) Service Desk Manager 24/7 contact information

• DTS (Call Center) Service Desk Manager 24/7 contact information

• INIT (Support Vendor) Service Desk Manager 24/7 contact information contact INIT Service Desk Number at

• Named 3rd party Digital Forensics Contractors 24/7 contact information

• Named 3rd party Cybersecurity Incident Response Contractors 24/7 contact information

Page 13

Incident Response Plans for Fare Systems: Who Cares?

• Note – DHS offers FREE risk assessments for all critical infrastructure agencies such as transportation in the United States. The first question they will ask is to see your Incident Response Plan. https://www.us-cert.gov/resources/ncats

• Many Cybersecurity Insurance companies will also ask for a copy of your agency specific incident response plan

Page 14

Incident Response Plans: Information Spillage

• Information spillage refers to an instance where sensitive, classified or protected information such as Payment Card Industry (PCI) or Personally Identifiable Information (PII) is accidentally or maliciously placed on unprotected systems.

• Actions must be taken to mitigate the spillage otherwise the spillage may result in a data breach.
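Finding spilled card data before it becomes a breach is usually a scan of file shares and ticket systems that sit outside the PCI-scoped environment. The following Python script is an added example, not part of the presentation: it looks for digit runs that pass the Luhn check (the checksum every payment card number satisfies) and reports them masked, so the scan result itself does not become another spillage. The "share" contents are constructed inline, using the well-known 4111 1111 1111 1111 test card number.

```python
"""Scan text for spilled payment card numbers (PCI data) using a Luhn check.

Added example (not from the presentation): a minimal detector of the kind a
DLP or file-share scan would run to find card data placed on systems outside
the protected payment environment. Sample files are constructed inline.
"""
import re

# 13 to 19 digit runs, allowing the spaces or dashes people type into spreadsheets and tickets.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; rejects most random digit runs (phone numbers, asset tags)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return masked PANs found in text (first six and last four digits kept)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # len(set(...)) > 1 drops runs like 0000000000000 that pass Luhn trivially
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def scan_files(files: dict):
    """files maps path -> contents. Returns {path: [masked PANs]} only for files with hits."""
    hits = {}
    for path, contents in files.items():
        pans = find_pans(contents)
        if pans:
            hits[path] = pans
    return hits


# Constructed sample "unprotected share": a refund spreadsheet export that carries a
# card number, and a support ticket whose phone number and asset tag must not trigger.
SAMPLE_FILES = {
    "shared/refunds-2019.csv": "rider,card,amount\nJ. Doe,4111 1111 1111 1111,2.75\n",
    "shared/ticket-4471.txt": "Validator 17 down, call 808-555-0142, tag 1234567890123\n",
}

if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {pans}")
```

The Luhn filter is what keeps the scan usable: the 13-digit asset tag in the ticket has the right length but fails the checksum, so only the spreadsheet is flagged. A real scan would walk a directory tree and feed each file's text to `scan_files`; the mitigation step the slide calls for (removing the data and tracing how it got there) starts from that list.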

Page 15

Incident Response: Integrated Response Team

• Cybersecurity is a TEAM Sport

• The objective of this team is to perform cybersecurity Tactics, Techniques, and Procedures (TTP) during and post-incident.

• Advance identification of this team will decrease the Time To Repair (TTR) and mitigate cybersecurity incidents.

• The integrated information security analysis team for the transit fare payment systems should include:

  • Internal or external digital forensics analysts

  • Internal or external cybersecurity threat hunter developers

  • Internal operations personnel

  • Systems Vendor and Internal cybersecurity, network, server, application, and database staff

Page 16

Key Take-Aways

• Cybersecurity for Fare Payment Systems requires multiple layers of protection:

  • Technology such as SIEMs, IPS, IDS

  • Framework such as NIST 800 series or ISO 27000

  • Policies and Procedures supporting chosen Framework

  • Awareness and Training for all support staff

  • Incident Response Planning and Exercises

• A TEAM APPROACH - Cybersecurity is a TEAM SPORT

Page 17

COOL WEBSITES AND LINKS

Page 18

SHODAN https://www.shodan.io

• Raw Direct Access to Unprotected Industrial Control Systems; your Neighbor’s unsecured NEST temperature control or an unsecured Transit Agency CCTV camera

• If it is IP based and Unsecured – Shodan can find it online

Page 19

NORSE ATTACK MAP SHOWS REAL TIME ATTACKS

http://map.norsecorp.com/#/

Page 20

REFERENCES AND URLs

APTA Communications and Control Security Working Group (CCSWG) - https://www.apta.com/resources/standards/security/Pages/default.aspx

TSA Transportation Systems Sector Cyber Working Group (TSSCWG) – Contact: [email protected]

Passenger Transportation and Surface Transportation Information Sharing and Analysis Centers (PT-ISAC, ST-ISAC) email at [email protected]

Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity insurance overview https://www.dhs.gov/cisa/cybersecurity-insurance

Page 21

FREE CYBERSECURITY TOOLS

• DHS CSET Tool https://cset.inl.gov/SitePages/Home.aspx

• DHS GrassMarlin https://github.com/iadgov/GRASSMARLIN

• Kali Linux Toolset https://tools.kali.org/

• Others available on github include: plcscan, plcinject, Snap7, SCADAShutdown Tool

Page 22

CYBERSECURITY REFERENCES

• NIST Special Publication 800-53 (Rev. 5), Security and Privacy Controls for Federal Information Systems and Organizations, at https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

• NIST Special Publication 800-82 (Rev. 2), Guide to Industrial Control Systems (ICS) Security, at http://dx.doi.org/10.6028/NIST.SP.800-82r2

• ISA/IEC 62443 Industrial Automation Control Standards Series at https://webstore.iec.ch/publication/7033

• Center for Internet Security https://www.cisecurity.org/critical-controls.cfm

• ISO 27001 http://www.iso.org/iso/iso27001

• NIST National Vulnerability Database (NVD) https://nvd.nist.gov/download.cfm and Common Vulnerabilities and Exposures (CVEs) provided by the Mitre Corporation, subscribe at [email protected]

• Open Security Architecture http://www.opensecurityarchitecture.org/cms/index.php

• Sysadmin, Audit, Network, and Security Technology Institute https://www.sans.org/

• Public Transportation and Surface Transportation Information Sharing and Analysis Center [email protected]